How Safe are SMS Text Messages?

Many of us have used SMS (short message service) text messages before. These allow mobile devices to exchange short text messages, and they are often used for authentication, delivering passcodes for the accounts and services you’re trying to access. They can also be used to relay important announcements from companies and brands.

While using SMS texts is a common practice, just how secure are they? Apparently, there is an entire industry of cybercriminals geared toward intercepting these messages and extracting your sensitive information.

Vice News’s Joseph Cox worked with Lucky225 (a pseudonym), a hacker, to demonstrate how easy it is for third parties to intercept people’s texts and private information via SMS messages. Lucky225 was able to break into Cox’s Postmates and Bumble accounts, showing screenshots of texts meant for Cox that the hacker could now easily access.

How did this happen?

At another point, the hacker also took over Cox’s WhatsApp account to text a friend of his. How did Lucky225 do this? The hacker used a service from SMS marketing and messaging company Sakari to reroute Cox’s messages over to him.

“This overlooked attack vector shows not only how unregulated commercial SMS tools are but also how there are gaping holes in our telecommunications infrastructure, with a hacker sometimes just having to pinky swear they have the consent of the target,” Cox writes.

It was very easy for the hacker to utilize this service. He used a prepaid card to purchase Sakari’s $16 monthly plan, filling out a Letter of Authorization (LOA) — or a document that says the signer has permission to switch telephone numbers — with fake information.

Implications are huge

The implications of this demonstration are huge. It means cybercriminals could take control of an unsuspecting person’s phone number to siphon away their bank accounts, hack into social media accounts and harass or blackmail them.

Security website and blog KrebsOnSecurity interviewed Lucky225, a chief information officer for Okey Systems, who revealed that Sakari has now prevented its service from being used with mobile phone numbers following the Vice report.

“It’s not a Sakari thing,” Lucky225 told the blog. “It’s an industry-wide thing. There are many of these ‘SMS enablement’ providers.”

KrebsOnSecurity reports that the most common method cybercriminals use to take over SMS messaging is the “SIM swap,” which means bribing or fooling wireless phone company employees into modifying customer account information. These hackers can redirect a person’s phone number to a device the cybercriminal controls, ultimately receiving that person’s private calls and messages. They can then reset any password they’d like.

What should you do? The security blog recommends avoiding SMS altogether and considering removing your phone numbers from online accounts. Instead, embrace multi-factor authentication and strong passwords. It also suggests removing your phone number as a backup for email, bank or social media resets, and using other email accounts or authentication methods for account recovery rather than relying on these text messages.

Published by Peter Cavicchia

Peter Cavicchia is a retired U.S. Secret Service Senior Executive, now Chairman of the security consulting firm Strategic Services International LLC.
